Onboarding Manufacturers

Andi Lamprecht · 7 min read · Draft
Lifecycle event. A manufacturer org cannot mint ATOMx-compatible aircraft until ATOMx has issued it a Manufacturer Intermediate CA. This page documents the onboarding gate. The certificate substrate is in PKI and Chains of Trust; the aircraft-side hardware model is in Aircraft Hardware Identity.

1. Why Manufacturer Onboarding Exists

Aircraft identity in ATOMx is rooted in the OEM. An aircraft proves who it is by presenting a certificate signed by the manufacturer’s intermediate CA, which itself chains to the ATOMx Root. If any OEM could obtain that intermediate CA without diligence, every aircraft they minted would become a trust anchor for the platform. Onboarding gates the issuance of that intermediate CA.

2. The Five Onboarding Gates

| # | Gate | What It Establishes |
|---|------|---------------------|
| 1 | Eligibility review | Corporate identity, regulatory standing, export-compliance posture, supply-chain attestation |
| 2 | Technical conformance | The OEM demonstrates a manufacturing line that provisions a hardware secure element on each airframe and binds an OEM-signed certificate to it |
| 3 | Key ceremony | The OEM private key for its intermediate CA is generated inside the OEM’s own HSM and never leaves it. The OEM produces a CSR; ATOMx signs it using the Root HSM under dual control. The OEM never sees the Root private key. |
| 4 | Manufacturing SDK | OEM receives the firmware integration kit (broadcast format, capsule verification routines, attestation reporting interface) |
| 5 | Batch attestation contract | OEM commits to submitting signed manufacturing batch records to ATOMx — which serial numbers were minted, when, with which firmware version |

3. Key Ceremony Sequence

    sequenceDiagram
    autonumber
    participant OEM
    participant ATOMx
    participant HSMa as ATOMx Root HSM
    participant HSMo as OEM HSM
    OEM->>ATOMx: Apply for manufacturer credential
    ATOMx->>OEM: Eligibility + conformance review
    OEM->>HSMo: Generate OEM intermediate keypair
    HSMo-->>OEM: CSR
    OEM->>ATOMx: Submit CSR + attestation
    ATOMx->>HSMa: Sign OEM Intermediate CA cert under Root
    HSMa-->>ATOMx: Signed cert
    ATOMx-->>OEM: Issue OEM Intermediate CA cert + SDK
    Note over OEM,ATOMx: OEM may now mint per-aircraft certs at the factory
  

4. The Two Independent Chains

Once onboarded, the OEM operates one of two cert chains for every aircraft it ships. The other (TPM chip provenance) is operated by the TPM chip manufacturer, independently. Both chains must be present and cross-referenced for an aircraft to verify. See Aircraft Hardware Identity §2.

5. Specifications, Compliance, and Commercial Terms

5.1 HSM Requirements

| Property | Requirement |
|----------|-------------|
| FIPS 140-3 level | Level 3 minimum for OEM Intermediate CA HSM; Level 4 acceptable |
| Key generation | All key material generated inside the HSM; never exportable in plaintext |
| Ceremony control | Dual-control / m-of-n quorum on the OEM side, recorded and witnessed |
| Acceptable vendors | Thales, Entrust, AWS CloudHSM, Azure Dedicated HSM, YubiHSM 2 (FIPS), or equivalent — ATOMx maintains a current accepted-vendor list |
| Attestation | OEM provides a vendor attestation that the keys were generated on a compliant HSM |

5.2 Compliance Posture

| Standard | Applies To | Source |
|----------|------------|--------|
| NDAA Section 889 | Federal customer-facing OEMs | Bill of materials attestation; covered foreign-origin components excluded |
| TAA | Federal procurement | Country-of-origin attestation |
| CMMC | Defense-industrial-base OEMs | Level 2 minimum for handling controlled unclassified; Level 3 for select programs |
| ITAR / EAR | Defense / dual-use platforms | Export-classification declaration; ATOMx onboarding does not transfer ITAR-controlled material |
| Blue UAS / Trusted Component | Federal-program OEMs | Listing and component-set attestation |

5.3 Commercial and Contractual Terms

ATOMx does not publish standard pricing here — those terms are negotiated per OEM. Onboarding contracts cover:

  • Per-OEM onboarding fee plus annual maintenance
  • HSM cost borne by the OEM (ATOMx does not host the OEM intermediate)
  • SDK license terms and update cadence
  • Liability allocation for fraudulent or non-conforming aircraft minted under the OEM CA
  • Indemnity limits and incident-response commitments
  • Data-handling terms for batch attestation records

6. Ongoing Obligations

After onboarding, the OEM:

  • Submits signed batch attestations for each manufacturing run
  • Maintains a CRL for its issued aircraft certificates (or migrates to short-lived certs renewed at routine check-in)
  • Participates in scheduled Manufacturer CA rotations (target: 5-year rotation with overlapping validity)
  • Reports security events affecting its assembly line, firmware, or HSM
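
The batch attestation obligation (gate 5 and the first item above) lets ATOMx reconcile what an OEM says it minted against the aircraft certificates that later appear at check-in. The following is an added example, not ATOMx or SDK code. The record layout, field names, serial format and one-hour clock-skew allowance are assumptions (the manifest format is still an open question on this page), and the records are assumed to have already passed signature verification.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data. The record layout is hypothetical: the page leaves
# the manifest schema and signing envelope undecided.
BATCHES = [
    {"batch_id": "B-001", "minted_at": "2025-03-01T08:00:00+00:00",
     "firmware": "1.4.2", "serials": ["AC-1001", "AC-1002", "AC-1003"]},
    {"batch_id": "B-002", "minted_at": "2025-03-09T08:00:00+00:00",
     "firmware": "1.4.2", "serials": ["AC-1003", "AC-1004"]},
]
# Certificates observed at check-in: (serial, cert notBefore, reported firmware)
OBSERVED = [
    ("AC-1001", "2025-03-01T08:05:00+00:00", "1.4.2"),
    ("AC-1002", "2025-02-20T00:00:00+00:00", "1.4.2"),  # predates its batch
    ("AC-1004", "2025-03-09T09:00:00+00:00", "1.3.0"),  # older firmware
    ("AC-9999", "2025-03-10T00:00:00+00:00", "1.4.2"),  # never attested
]

def _ts(text):
    return datetime.fromisoformat(text)

def _ver(text):
    return tuple(int(part) for part in text.split("."))

def reconcile(batches, observed, skew=timedelta(hours=1)):
    """Return a sorted list of (serial, finding) discrepancies."""
    findings = []
    counts = Counter(s for b in batches for s in b["serials"])
    findings += [(s, "serial attested in more than one batch")
                 for s, n in counts.items() if n > 1]
    index = {}
    for batch in batches:
        for serial in batch["serials"]:
            index.setdefault(serial, batch)  # first attestation is the reference
    for serial, not_before, firmware in observed:
        batch = index.get(serial)
        if batch is None:
            findings.append((serial, "certificate in field but never attested"))
            continue
        if _ts(not_before) + skew < _ts(batch["minted_at"]):
            findings.append((serial, "certificate predates attested minting time"))
        if _ver(firmware) < _ver(batch["firmware"]):
            findings.append((serial, "firmware older than attested version"))
    return sorted(findings)

if __name__ == "__main__":
    for serial, finding in reconcile(BATCHES, OBSERVED):
        print(serial, "-", finding)
```

Findings of this kind are the "batch-attestation discrepancies" that Section 7.2 lists as a de-listing trigger when they recur.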

7. Incident Response and De-Listing

7.1 OEM Security Incident

If an OEM detects a security incident affecting its signing infrastructure, manufacturing line, or firmware integrity, it must notify ATOMx within a contractually-defined window (typically 24 hours). ATOMx may:

  • Pause new aircraft minting under that OEM until investigation completes
  • Trigger emergency rotation of the OEM Intermediate CA
  • Issue a CRL update covering affected aircraft serials
  • Coordinate with operators flying affected airframes

7.2 De-Listing

An OEM may be de-listed for cause — repeated batch-attestation discrepancies, failure to remediate a security event, loss of regulatory standing, NDAA violation, or other contractually-defined trigger. De-listing has cascading effects:

| Outcome | Mechanism |
|---------|-----------|
| New aircraft minting halted | OEM Intermediate CA marked end-of-life |
| Already-minted aircraft remain valid until expiry or revocation | Existing flights are not grounded mid-operation |
| Operator notification | Affected operators receive remediation timelines |
| Mass revocation (worst case) | If de-listing reflects compromised signing keys, all aircraft signed by that OEM Intermediate are revoked via CRL update; operators must re-onboard with a different OEM |

De-listing is rare; the process targets months, not days, so that operators have time to migrate.
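
An added sketch (not ATOMx code) of how a verifier could apply the de-listing outcomes above, together with the minting pause from 7.1, to individual aircraft certificates. The state names, the `halted_at` field, the serial format and the rule that compares a certificate's notBefore against the halt time are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

class CAState(Enum):       # hypothetical state names, not from the page
    ACTIVE = 1
    PAUSED = 2             # 7.1: minting paused during an investigation
    END_OF_LIFE = 3        # 7.2: de-listed, signing keys believed intact
    COMPROMISED = 4        # 7.2 worst case: signing keys compromised

@dataclass
class OemCA:
    state: CAState
    halted_at: Optional[datetime] = None   # when minting was paused or ended
    crl: set = field(default_factory=set)  # revoked aircraft serials

@dataclass
class AircraftCert:
    serial: str
    not_before: datetime
    not_after: datetime

def evaluate(cert, ca, now):
    """Return (accepted, reason) for one aircraft certificate."""
    # A compromised key can sign backdated certificates, so no date check is
    # trustworthy: everything under that intermediate is treated as revoked.
    if ca.state is CAState.COMPROMISED:
        return False, "OEM intermediate compromised: mass revocation"
    if cert.serial in ca.crl:
        return False, "serial listed on OEM CRL"
    if not cert.not_before <= now <= cert.not_after:
        return False, "outside validity period"
    # Pause or end-of-life stops new minting only; earlier certs stay valid.
    if (ca.state in (CAState.PAUSED, CAState.END_OF_LIFE)
            and ca.halted_at is not None and cert.not_before >= ca.halted_at):
        return False, "minted after OEM minting was halted"
    return True, "valid"

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample: OEM de-listed with keys intact on 2025-06-01.
CA = OemCA(CAState.END_OF_LIFE, halted_at=utc(2025, 6, 1), crl={"AC-0002"})
FLEET = [AircraftCert("AC-0001", utc(2025, 1, 10), utc(2027, 1, 10)),
         AircraftCert("AC-0002", utc(2025, 1, 10), utc(2027, 1, 10)),
         AircraftCert("AC-0003", utc(2025, 6, 15), utc(2027, 6, 15)),
         AircraftCert("AC-0004", utc(2023, 1, 1), utc(2025, 3, 1))]

def demo(now):
    return {c.serial: evaluate(c, CA, now) for c in FLEET}
```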

7.3 Mergers, Acquisitions, and Divestitures

OEM corporate change events do not automatically transfer the Manufacturer Intermediate CA. The acquiring entity must complete a streamlined re-eligibility review and either:

  • Continue operating the existing OEM Intermediate CA under the same identity and key material (preferred)
  • Replace it with a new Intermediate CA under the new entity’s identity, with a defined cross-signing window for in-field aircraft

Divestitures (one OEM splits into two) require a separate Manufacturer Intermediate CA per resulting entity, with clear ownership of the original aircraft fleet.

Implementation Readiness — Open Questions

Each entry below identifies a decision not yet locked. Items marked (ADR) should be formalized as an Architecture Decision Record before implementation begins. Items marked (blocking) must be resolved before the relevant feature can be built.

| # | Question | Owner | ADR? | Blocking? |
|---|----------|-------|------|-----------|
| 1 | Which language(s) and target platforms will the Manufacturing SDK support (C/C++, Rust, Go), and what is the public API surface for key-injection, attestation, and provisioning calls? | engineering | ADR — “Manufacturing SDK Language & API Surface” | Yes |
| 2 | What is the OEM Portal architecture (tenant isolation model, auth via Okta federation vs. external IdP, hosting boundary for ITAR-restricted OEMs)? | engineering + product | ADR — “OEM Portal Architecture & Tenant Isolation” | Yes |
| 3 | What is the batch-attestation manifest file format (schema, signing envelope, COSE vs. JWS), and what is the required submission cadence (per-batch, daily, on-completion)? | engineering | ADR — “Batch Attestation Manifest Format & Submission Cadence” | Yes |
| 4 | What is the signed-firmware-update protocol, including PCR roll-forward semantics, rollback protection, and recovery on failed measurement? | engineering | ADR — “Signed Firmware Update & PCR Roll-Forward Protocol” | Yes |
| 5 | How is the OEM CRL distributed and refreshed (OCSP stapling, CRLite, pull cadence, offline propagation for disconnected fleets)? | engineering | ADR — “OEM Certificate Revocation Distribution” | Yes |
| 6 | What are the OEM key-ceremony specifics: M-of-N quorum thresholds on the OEM side, ceremony-script template, witness/video retention policy, and FIPS 140-3 HSM model approval list? | engineering + legal | ADR — “OEM Key Ceremony & Witness Retention Standard” | Yes |
| 7 | What is the eligibility-review rubric — explicit pass/fail criteria, scoring weights, and appeal mechanism for NDAA/CMMC/ITAR posture assessment? | product + legal | No | Yes |
| 8 | What are the commercial terms: who pays for the ATOMx-supplied HSM and integration engineering time, partner-program tiering (Bronze/Silver/Gold), and revenue-share or per-unit licensing model? | business-development | No | No |
| 9 | What are the audit-rights contract terms, indemnity caps, insurance minimums (cyber + product liability), and the legal process for de-listing (notice period, cure window, dispute resolution forum)? | legal + business-development | No | Yes |
| 10 | What is the OEM Portal SLA (uptime, support response times, incident-response RACI between ATOMx SOC and OEM), and how is M&A succession handled (assignment clause, re-attestation trigger, key-material transfer procedure)? | product + legal | ADR — “Incident Response RACI & M&A Succession” | No |